Agenda item

Information Governance, Cyber Security and Data Protection Officer Update


The Committee will receive a presentation from Sara Hydon, Head of IT (Service Management) and Rob Winter (Data Protection Officer) providing an update on Information Governance, Cyber Security and Data Protection.


The Committee received a presentation from Sara Hydon, Head of IT (Service Management) and from Rob Winter, Data Protection Officer, which provided an update on Information Governance, Cyber Security and Data Protection.


Mr Winter reported on the following matters:


·         The DPO Review that had been undertaken. 

o   Good progress had been made generally and policies and guidance had been reviewed. 

o   Important improvements in processes for incident management and Data Protection Impact Assessments had been made

o   Reference was made to the excellent work of the Information Governance Team

o   The Information Governance Board had been reconstituted

o   Other work to focus upon included a review of the training offer, a review of internal procedures for the handling of complex SAR’s more effectively and the impact of Covid 19 and the subsequent change in working practices

·         DPO Assurance Reviews

o   Annual work was in progress to review certain aspects of compliance with the Data Protection Act and General Data Protection Regulations.  Areas to cover included:

§  Broad awareness assessment through a survey

§  Cyber and IT security considerations

§  Incident management

§  Contract provisions

o   A report on the reviews would be submitted to the Committee in due course

o   The Data Protection Officer/Head of Internal Audit, Anti-Fraud and Assurance was contributing to a number of Covid 19 related groups in order to ensure awareness of Data Protections matters


Mrs Hydon reported on the following:


·         Information Governance

o   The Covid 19 Implications and Opportunities

o   Incidents before and during the Covid 19 pandemic


There had been no major adverse impacts from an Information Governance perspective.  The type of work undertaken was outlined


·         The Data Sharing Protocol had been completed in accordance with the legal requirements (which were outlined) and in discussion with partners – it was noted that further issues might be raised as part of the Council’s recovery phase so work was progressing on ensuring that the Data Sharing Framework was robust

·         Achievements had been significant in relation to the paperless office and most employees no longer required paper records unless urgency dictated

·         There had been significant reduction in printing due to home working and the move to a ‘digital world’.  This had been a significant achievement and employees were embracing the need to adopt technological solutions

·         During the Covid 19 pandemic, the Service had ensured that full and robust processes were in place and the number of incidents had reduced.  In relation to any incidents taking place, appropriate training was being provided and lessons learned were followed up and checked.  In addition, constant reminders were issued to reduce the transportation of paper

·         The number of instances of disclosure in error had also reduced in part due to the introduction of email encryption software


·         Cyber Security

o   Covid 19 Implications and Homeworking – particular reference was made to the temporary arrangements in place and the assistance given to services and to schools.  The number of phishing emails had not increased due to homeworking.  Indeed, there had been just under a 50% reduction in the number of malicious and avoidable incidents reported, this was where controls had been put in place to stop other employees or Councillors clicking the same email

·         The Redcar and Cleveland Incident – details of this incident hadn’t been disclosed but appeared to relate to an infection by encryption malware that may have affected backup files.  Further information was awaited but this would be used as a learning opportunity to strengthen Barnsley’s own systems

·         Public Services Network – accreditation had been achieved at the beginning of March for a further year and work was ongoing in order to try to achieve accreditation the following year

·         Cyber Essentials Plus – it was hoped that certification could be achieved, and a further report would be submitted to the Committee in due course

·         DSP Toolkit – the Council’s Cyber Security Strategy had been approved by Cabinet on the 15th April 2020 and work was ongoing on future developments/enhancements

·         Strategic developments – reference was made to the way in which the Service took a strategic lead and communicated strategies to, amongst other things:

o   avoid cyber-attack across the council

o   embed policy, training and best practice


In response to previous questioning, reference was made to the membership of the Information Governance Board which acted on behalf of the Senior Management Team by providing a strategic lead for how the Council discharged its information governance responsibilities.  The work undertaken by the Board included the receipt of audits and assessments on issues such and PSN accreditation, Cyber Essentials Plus, Data Security and Protection Toolkit.  It also investigated areas of non-compliance and approved and prioritised the annual Improvement Plan.   The Board received reports on requests for information such as Freedom of Information, Data Protection and Environmental Information Regulations and advised on appropriate actions arising from those reports.  It also commissioned specific pieces of work or reports through Task and Finish Groups.


In response to specific questioning, Mrs Hydon reported that the Council’s back up data complied with all the legislative and accreditation requirements as detailed within the presentation.


RESOLVED that Rob Winter and Sara Hydon be thanked for their most informative and thought provoking presentation.

Supporting documents: